back2root:reverse-engineering:disassembler_decompilier

Page revisions compared: back2root:reverse-engineering:disassembler_decompilier, 2023/02/18 18:23 (section [Commercial Windows Disassemblers], frater) and 2023/02/18 20:30 (current version, section [Further reading], frater).
==== Commercial Freeware/Shareware Windows Disassemblers ====
  
  * [[http://www.ollydbg.de/|OllyDbg]] is a user-mode Windows debugger with a built-in analysing disassembler, and one of the most popular tools of its kind. It has a large community and a wide variety of plugins available. It emphasizes binary code analysis. Supports x86 instructions only (no x86_64 support for now, although it is on the way).
  * [[http://www.openrce.org/downloads/browse/OllyDbg_Plugins|plugins]]
  * [[http://www.ollydbg.de/odbg64.html|64 bit version]]
  
==== Free Windows Disassemblers ====
  * [[http://www.capstone-engine.org/|Capstone]]: an open source disassembly framework for multiple architectures (including x86 and x86_64) and multiple platforms, with advanced features.
  * [[https://github.com/zyantific/zydis|Zydis]]: fast and lightweight x86/x86-64 decoder library. It decodes single instructions only and does not offer disassembler features such as linear sweep or recursive disassembly.
  * [[http://www.agner.org/optimize/#objconv|Objconv]]: a command line disassembler supporting 16, 32, and 64 bit x86 code. Latest instruction sets (SSE4, AVX, XOP, FMA, etc.), several object file formats, several assembly syntax dialects. Windows, Linux, BSD, Mac. Intelligent analysis.
  * [[http://www.simtel.net/product.php|IDA 3.7]] (search for ''ida37fw''): a DOS GUI tool that behaves very much like IDA Pro, but is considerably more limited. It can disassemble code for the Z80, 6502, Intel 8051, Intel i860, and PDP-11 processors, as well as x86 instructions up to the 486.
  * IDA Pro Freeware: behaves almost exactly like IDA Pro, but disassembles only Intel x86 opcodes and is Windows-only. It can disassemble instructions for those processors available as of 2003. Free for non-commercial use.

<WRAP box 60%>
  * [[http://www.themel.com/idafree.zip|version 4.1]]
  * [[http://www.datarescue.be/idafreeware/freeida43.exe|version 4.3]]
  * [[https://www.scummvm.org/frs/extras/IDA/idafree50.exe|version 5.0]]
  * [[https://www.hex-rays.com/products/ida/support/download_freeware.shtml|version 7.0]]
</WRAP>

  * [[http://www.caesum.com/|BORG Disassembler]]: an excellent Win32 disassembler with a GUI.
  * [[http://hte.sourceforge.net/|HT Editor]]: an analyzing disassembler for Intel x86 instructions. The latest version runs as a console GUI program on Windows, but there are versions compiled for Linux as well.
  * [[http://ragestorm.net/distorm/|diStorm64]]: an open source, highly optimized stream disassembler library for 80x86 and AMD64.
  * [[http://sourceforge.net/projects/crudasm9/|crudasm]]: an open source disassembler with a variety of options. It is a work in progress and is bundled with a partial decompiler.
  * [[https://github.com/BeaEngine/beaengine|BeaEngine]]: a complete disassembler library for the IA-32 and Intel 64 architectures (coded in C and usable from various languages: C, Python, Delphi, PureBasic, WinDev, masm, fasm, nasm, GoAsm).
  * [[http://www.duxcore.com/products.html|Visual DuxDebugger]]: a 64-bit debugger/disassembler for Windows.
  * [[http://www.pespin.com/|BugDbg]]: a 64-bit user-land debugger designed to debug native 64-bit applications on Windows.
  * [[http://dsmhelp.narod.ru/|DSMHELP]] (site in Russian): Disassemble Help Library is a disassembler library with a single line Epimorphic assembler. Supported instruction sets: Basic, System, SSE, SSE2, SSE3, SSSE3, SSE4, SSE4A, MMX, FPU, 3DNOW, VMX, SVM, AVX, AVX2, BMI1, BMI2, F16C, FMA3, FMA4, XOP.
  * [[http://www.arkdasm.com/|ArkDasm]]: a 64-bit interactive disassembler and debugger for Windows. Supported processor: x64 architecture (Intel 64 and AMD64).
  * [[http://sharpdisasm.codeplex.com/|SharpDisam]]: a C# port of the udis86 x86/x86-64 disassembler.
  * [[http://ntcore.com|CFF Explorer]]: PE editor with special field description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker, etc.
  * [[https://github.com/bitdefender/bddisasm|bddisasm]]: fast, lightweight x86/x64 instruction decoding library.
==== Unix Disassemblers ====
Many of the Unix disassemblers, especially the open source ones, have been ported to other platforms, like Windows (mostly using MinGW or Cygwin). Some disassemblers, like otool (OS X), are platform-specific.
  
  * [[http://www.capstone-engine.org/|Capstone]]: an open source disassembly framework for multiple architectures (including x86 and x86_64) and multiple platforms (including Mac OS X, Linux, *BSD, Android, iOS, Solaris), with advanced features.
  * [[http://bastard.sourceforge.net/|Bastard Disassembler]]: a powerful, scriptable disassembler for Linux and FreeBSD.
  * ndisasm: NASM's disassembler for x86 and x86-64. Works on DOS, Windows, Linux, Mac OS X and various other systems.
  * [[http://udis86.sourceforge.net/|udis86]]: disassembler library for x86 and x86-64.
  * [[https://github.com/zyantific/zydis|Zydis]]: fast and lightweight x86/x86-64 disassembler library.
  * Objconv: see above.
  * [[http://home.hccnet.nl/a.w.m.van.der.horst/ciasdis.html|ciasdis]]: the official name of ciasdis is ''computer_intelligence_assembler_disassembler''. This Forth-based tool allows you to incrementally and interactively build knowledge about a body of code. It is unique in that all disassembled code can be re-assembled to the exact same bytes. Processors are 8080, 6809, 8086, 80386, Pentium I and DEC Alpha. A scripting facility aids in analyzing ELF and MS-DOS headers and makes this tool extendable. The Pentium I ciasdis is available as a binary image; the others are in source form, loadable onto lina Forth, available from the same site.
  * objdump: comes standard, and is typically used for general inspection of binaries. Pay attention to the relocation option (''-r'') and the dynamic symbol table option (''-T'').
  * gdb: comes standard, as a debugger, but is very often used for disassembly. If you have loose hex dump data that you wish to disassemble, simply enter it (interactively) over the top of something else, or compile it into a program as a byte array like so: ''char foo[] = {0x90, 0xcd, 0x80, 0x90, 0xcc, 0xf1, 0x90};'' and disassemble that array from within gdb.
  * [[http://lida.sourceforge.net|lida]] (linux interactive disassembler): an interactive disassembler with some special functions like a crypto analyzer. Displays string data references, does code flow analysis, and does not rely on objdump. Utilizes the Bastard disassembly library for decoding single opcodes. The project was started in 2004 and remains dormant to this day.
  * [[http://code.google.com/p/dissy/|dissy]]: an interactive disassembler that uses objdump.
  * [[http://github.com/SimonKagstrom/emilpro|EmilPRO]]: replacement for the deprecated dissy disassembler.
  * x86dis: can be used to display binary streams such as the boot sector or other unstructured binary files.
  * [[http://www.tucows.com/preview/59983/LDasm|ldasm]]: LDasm (Linux Disassembler) is a Perl/Tk-based GUI for objdump/binutils that tries to imitate the 'look and feel' of W32Dasm. It searches for cross-references (e.g. strings), converts the code from GAS to a MASM-like style, traces programs and much more. Comes along with PTrace, a process-flow logger. Last updated in 2002, available from Tucows.
  * llvm: LLVM has two interfaces to its disassembler:

<WRAP round box 60%>
  * llvm-objdump: mimics GNU objdump.
  * llvm-mc: see [[http://blog.llvm.org/2010/01/x86-disassembler.html|the LLVM blog]].

Example usage:

<code>
$ echo '1 2' | llvm-mc -disassemble -triple=x86_64-apple-darwin9
addl %eax, (%rdx)
$ echo '0x0f 0x1 0x9' | llvm-mc -disassemble -triple=x86_64-apple-darwin9
sidt (%rcx)
$ echo '0x0f 0xa2' | llvm-mc -disassemble -triple=x86_64-apple-darwin9
cpuid
$ echo '0xd9 0xff' | llvm-mc -disassemble -triple=i386-apple-darwin9
fcos
</code>
</WRAP>

  * otool: OS X's object file displaying tool.
  * [[https://github.com/eteran/edb-debugger|edb]]: a cross platform x86/x86-64 debugger.
  * [[https://github.com/bitdefender/bddisasm|bddisasm]]: fast, lightweight x86/x64 instruction decoding library.
=== Disassembler Issues ===
  
[...]
===== Decompilation: Is It Possible? =====
  
In the face of optimizing compilers, it is not uncommon to be asked "Is decompilation even possible?" To some degree, it usually is. Make no mistake, however: an optimizing compiler results in the irretrievable loss of information. An example is in-lining, as explained above, where the called code is combined with its surroundings, such that the places where the original subroutine was called cannot even be identified. A decompiler that reverses that process is comparable to an artificial intelligence program that recreates a poem in a different language. So perfectly operational decompilers are a long way off. At most, current decompilers can be used as an aid for the reverse engineering process, leaving a lot of arduous work.
  
===== Common Decompilers =====
  
  * [[http://www.hex-rays.com/products/decompiler/index.shtml|Hex-Rays Decompiler]]: a commercial decompiler, made as an extension to the popular IDA Pro disassembler. It is currently the only viable commercially available decompiler which produces usable results. It supports both the x86 and ARM architectures.
  * [[https://github.com/icsharpcode/ILSpy|ILSpy]]: an open source .NET assembly browser and decompiler.
  * [[https://github.com/nemerle/dcc|DCC]]: likely one of the oldest decompilers in existence, dating back over 20 years. It serves as a good historical and theoretical frame of reference for the decompilation process in general ([[http://htmlpreview.github.io/?https://github.com/jcdutton/reference/blob/master/Cristina-Cifuentes/dcc.html|mirror]], [[https://web.archive.org/web/20131209235003/http://itee.uq.edu.au/~cristina/dcc.html|archive.org]]). Some of the latest changes include fixes for longstanding memory leaks and a more modern Qt5-based front-end.
  * [[https://retdec.com/|RetDec]]: the Retargetable Decompiler is a freeware web decompiler that takes in ELF/PE/COFF binaries for the Intel x86, ARM, MIPS, PIC32, and PowerPC architectures and outputs C or Python-like code, plus flow charts and control flow graphs. It puts a running time limit on each decompilation. It produces nice results in most cases.
  * [[https://github.com/uxmal/reko|Reko]]: a modular open-source decompiler supporting both an interactive GUI and a command-line interface. Its pluggable design supports decompilation of a variety of executable formats and processor architectures (8-, 16-, 32- and 64-bit architectures as of 2015). It also supports running unpacking scripts before the actual decompilation. It performs global data and type analyses of the binary and yields its results in a subset of C++ ([[http://sourceforge.net/projects/decompiler|historic link]]).
  * [[http://www.c4decompiler.com|C4Decompiler]]: an interactive, static decompiler under development (alpha in 2013). It performs global analysis of the binary and presents the resulting C source in a Windows GUI. Context menus support navigation, properties, cross references, C/Asm mixed view and manipulation of the decompile context (function ABI).
  * [[http://boomerang.sourceforge.net/|Boomerang Decompiler Project]]: an attempt to make a powerful, retargetable decompiler. So far, it only decompiles into C, with moderate success.
  * [[http://www.backerstreet.com/rec/rec.htm|Reverse Engineering Compiler]] (REC): a powerful "decompiler" that turns native assembly code into a ''C-like'' code representation. The code is half-way between assembly and C, but it is much more readable than the pure assembly. Unfortunately the program appears to be rather unstable.
  * [[http://sourceforge.net/projects/exetoc|ExeToC]]: an interactive decompiler that boasted pretty good results in the past.
  * [[https://derevenets.com|Snowman]]: an open source native code to C/C++ decompiler. Supports the ARM, x86, and x86-64 architectures. Reads ELF, Mach-O, and PE file formats. Reconstructs functions, their names and arguments, local and global variables, expressions, integer, pointer and structural types, and all types of control-flow structures, including switch. Has a nice graphical user interface with one-click navigation between the assembler code and the reconstructed program. Has a command-line interface for batch processing.
  * [[Ghidra]]: a reverse engineering package that includes a decompiler. It was written by the NSA for internal work, and apparently released because they didn't want to have to re-train every new person they hired. The framework is written in Java; the decompiler component itself is C++.

  * [[http://decompile-it.com|Decompile-It]] (dead link): Decompile-It was a web-based decompiler for 32-bit Linux x86 executables compiled with -g, i.e. with debug symbols.

=== A General view of Disassembling ===
=== 8 bit CPU code ===
Most embedded CPUs are 8-bit CPUs (Jim Turley, [[http://www.embedded.com/electronics-blogs/significant-bits/4024488/The-Two-Percent-Solution|The Two Percent Solution]], 2002).
  
Normally, when a subroutine is finished, it returns to executing the next address immediately following the ''call'' instruction.
  
However, assembly-language programmers occasionally use several different techniques that adjust the return address, making disassembly more difficult:
  * jump tables,
  * calculated jumps, and
  * a parameter after the call instruction.
  
==== jump tables and other calculated jumps ====
  
On 8-bit CPUs, calculated jumps are often implemented by pushing a calculated "return" address to the stack, then jumping to that address using the "return" instruction.

For example, the [[http://wiki.nesdev.com/w/index.php/RTS_Trick|RTS Trick]] uses this technique to implement jump tables (branch tables) on the 6502; note that the address pushed must be the target minus one, because RTS increments the address it pops.
  
==== parameters after the call instruction ====
[...]
The technique may make disassembly more difficult.
  
A simple example of this is the ''write()'' procedure implemented as follows:

<code asm>
; assume ds = cs, e.g. like in boot sector code
start:
; [...]
write   endp
        end start
</code>
  
A macro-assembler like TASM will then use a macro like this one:
<code asm>
_write macro message
       call write
; [...]
       db 0
_write endm
</code>
  
From a human disassembler's point of view this is a nightmare, although it is straightforward to read in the original assembly source: there is no way to decide from the binary form whether the bytes emitted by the ''db'' should be interpreted as code or not, and those bytes may contain sequences that look like jumps into the real executable code, triggering analysis of code that should never be analysed and interfering with the analysis of the real code (e.g. disassembling the above code from 0000h or from 0001h won't give the same results at all).
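The following added example (it is not part of the original page and is not the output of any real disassembler) makes the "0000h versus 0001h" remark concrete. It contains a deliberately tiny 16-bit x86 decoder that knows only the dozen opcodes used by a constructed 22-byte blob written in the style of the ''write()'' procedure above: a ''call write'', the inline string ''"Hi$",0'', a ''hlt'', and a ''write'' body that pops the return address, prints the string with DOS ''int 21h'', scans past the terminating zero and pushes the adjusted address before ''ret''. The byte values, offsets and the ''string_after_call'' hint are all assumptions made for this example.

```python
"""Linear sweep vs control-flow disassembly of the "string after call" trick.

Added example with a toy 16-bit x86 decoder (only the opcodes the sample
uses). The sample blob is constructed for this page, not taken from any binary.
"""
import struct

REG16 = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]
REG8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]

# Constructed sample (org 0, real mode), in the style of the write() procedure:
#   0000 call write          E8 05 00
#   0003 db "Hi$", 0         48 69 24 00   ; inline parameter, not code
#   0007 hlt                 F4
#   0008 write: pop si       5E            ; si -> the string after the call
#   0009 mov dx, si          89 F2
#   000B mov ah, 9           B4 09
#   000D int 21h             CD 21         ; DOS: print "$"-terminated string
#   000F lodsb               AC
#   0010 test al, al         84 C0
#   0012 jnz 000F            75 FB         ; scan to the terminating 0
#   0014 push si             56            ; "return" to the byte after it
#   0015 ret                 C3
SAMPLE = bytes.fromhex("e8050048692400f45e89f2b409cd21ac84c075fb56c3")


def _modrm_len(m):
    """Size in bytes of a 16-bit ModRM field plus its displacement."""
    mod, rm = m >> 6, m & 7
    if mod == 0:
        return 3 if rm == 6 else 1  # mod=00 rm=110 is a bare disp16
    return {1: 2, 2: 3, 3: 1}[mod]


def decode(code, ip):
    """Decode one instruction at code[ip]; returns (length, text, kind, target)."""
    op = code[ip]
    if op == 0xE8:  # call rel16
        tgt = (ip + 3 + struct.unpack_from("<h", code, ip + 1)[0]) & 0xFFFF
        return 3, f"call 0x{tgt:04x}", "call", tgt
    if op == 0x75:  # jnz rel8
        tgt = (ip + 2 + struct.unpack_from("<b", code, ip + 1)[0]) & 0xFFFF
        return 2, f"jnz 0x{tgt:04x}", "jcc", tgt
    if op == 0xC3:
        return 1, "ret", "stop", None
    if op == 0xF4:
        return 1, "hlt", "stop", None
    if op == 0xAC:
        return 1, "lodsb", "plain", None
    if op == 0xCD:
        return 2, f"int 0x{code[ip + 1]:02x}", "plain", None
    if op == 0x05:  # add ax, imm16
        imm = struct.unpack_from("<H", code, ip + 1)[0]
        return 3, f"add ax, 0x{imm:04x}", "plain", None
    if 0x48 <= op <= 0x4F:
        return 1, f"dec {REG16[op - 0x48]}", "plain", None
    if 0x50 <= op <= 0x57:
        return 1, f"push {REG16[op - 0x50]}", "plain", None
    if 0x58 <= op <= 0x5F:
        return 1, f"pop {REG16[op - 0x58]}", "plain", None
    if 0xB0 <= op <= 0xB7:
        return 2, f"mov {REG8[op - 0xB0]}, 0x{code[ip + 1]:02x}", "plain", None
    if op in (0x84, 0x89, 0x69):  # ModRM-encoded: test r/m8,r8; mov r/m16,r16; imul r16,r/m16,imm16
        m = code[ip + 1]
        mod, reg, rm = m >> 6, (m >> 3) & 7, m & 7
        n = 1 + _modrm_len(m)
        regs = REG8 if op == 0x84 else REG16
        rm_text = regs[rm] if mod == 3 else "[mem]"
        if op == 0x84:
            return n, f"test {rm_text}, {regs[reg]}", "plain", None
        if op == 0x89:
            return n, f"mov {rm_text}, {regs[reg]}", "plain", None
        imm = struct.unpack_from("<H", code, ip + n)[0]
        return n + 2, f"imul {regs[reg]}, {rm_text}, 0x{imm:04x}", "plain", None
    return 1, f"db 0x{op:02x}", "plain", None  # opcode outside this toy table


def linear_sweep(code, start=0):
    """Decode every byte in order from `start`, as objdump -D or ndisasm would."""
    out, ip = [], start
    while ip < len(code):
        n, text, _, _ = decode(code, ip)
        out.append((ip, text))
        ip += n
    return out


def recursive_descent(code, entry=0, string_after_call=frozenset()):
    """Follow control flow from `entry`. `string_after_call` holds call targets the
    analyst knows consume a NUL-terminated string placed after the call (the
    write() convention); without that hint the string bytes are decoded as code."""
    listing, seen, work = {}, set(), [entry]
    while work:
        ip = work.pop()
        while ip < len(code) and ip not in seen:
            seen.add(ip)
            n, text, kind, tgt = decode(code, ip)
            listing[ip] = text
            if kind in ("call", "jcc"):
                work.append(tgt)
            if kind == "stop":
                break
            if kind == "call" and tgt in string_after_call:
                end = code.index(0, ip + n)  # terminating NUL of the inline string
                listing[ip + n] = "db " + repr(code[ip + n:end + 1])
                seen.update(range(ip + n, end + 1))
                ip = end + 1  # resume where write()'s adjusted ret lands
            else:
                ip += n
    return sorted(listing.items())


if __name__ == "__main__":
    for title, rows in (("linear sweep from 0000h", linear_sweep(SAMPLE, 0)),
                        ("linear sweep from 0001h", linear_sweep(SAMPLE, 1)),
                        ("flow-following with write() hint", recursive_descent(SAMPLE, 0, {8}))):
        print(title)
        for off, text in rows:
            print(f"  {off:04x}  {text}")
```

Sweeping from 0000h turns the string into ''dec ax; imul sp, [mem], 0xf400'' and the ''imul'' immediate swallows the real ''hlt'' at 0007h; sweeping from 0001h instead begins with a bogus ''add ax, 0x4800''. A plain recursive-descent pass is no better, because it assumes the call returns to 0003h. Only outside knowledge (here the ''string_after_call'' hint; in IDA, marking the bytes as data) recovers the listing the assembler source actually describes.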
[...]
  
=== 32 bit CPU code ===
Most 32-bit CPUs use the ARM instruction set (Mark Hachman, [[http://www.extremetech.com/extreme/52180-arm-cores-climb-into-3g-territory|ARM Cores Climb Into 3G Territory]], 2002: "Although Intel and AMD receive the bulk of attention in the computing world, ARM's embedded 32-bit architecture, ... has outsold all others."; Tom Krazit, [[http://news.cnet.com/ARMed-for-the-living-room/2100-1006_3-6056729.html|ARMed for the living room]], 2006: "ARM licensed 1.6 billion cores [in 2005]").

Typical ARM assembly code is a series of subroutines, with literal constants scattered between subroutines (literal pools, reached with PC-relative ''ldr'' instructions). The standard prolog and epilog for subroutines are pretty easy to recognize.
  
=== A brief list of disassemblers ===
  * [[http://home.hccnet.nl/a.w.m.van.der.horst/ciasdis.html|ciasdis]]: "an assembler where the elements opcode, operands and modifiers are all objects, that are reusable for disassembly." For 8080, 8086, 80386, Alpha and 6809, and should be usable for Pentium, 68000, 6502 and 8051.
  * [[http://radare.org/|radare, the reverse engineering framework]] includes open-source tools to disassemble code for many processors (x86, ARM, PowerPC, m68k, etc.), several virtual machines (Java, MSIL, etc.), and many platforms (Linux, BSD, OS X, Windows, iPhoneOS, etc.).
  * IDA, the Interactive Disassembler ([[http://www.hex-rays.com/idapro/|IDA Pro]]), can disassemble code for a huge number of processors, including ARM (including Thumb and Thumb-2), ATMEL AVR, INTEL 8051, INTEL 80x86, MOS Technologies 6502, MC6809, MC6811, M68H12C, MSP430, PIC 12XX, PIC 14XX, PIC 18XX, PIC 16XXX, Zilog Z80, etc.
  * objdump, part of the GNU binutils, can disassemble code for several processors and platforms. binutils is an important part of the toolchain, as it provides the linker, assembler and other utilities (like objdump) to manipulate executables on the target platform, and is available for most popular platforms. Note that objdump is a linear-sweep disassembler: it decodes every byte of a section in order, so inline data confuses it in exactly the way described above.
  * For OS X/BSD systems, there is a rough equivalent called otool in the Xcode kit.
  * [[http://www.program-transformation.org/Transform/DisAssembly|Program transformation wiki: disassembly]] lists many highly recommended disassemblers.
  * [[http://sourceforge.net/search/?words=disassemble|Searching for "disassemble" at SourceForge]] shows many disassemblers for a variety of CPUs.
  * [[http://hopperapp.com|Hopper]] is a disassembler that runs on OS X and disassembles 32/64-bit OS X and Windows binaries.
  * The [[http://www.cs.tufts.edu/~nr/cs257/archive/cristina-cifuentes/computer00.pdf|University of Queensland Binary Translator (UQBT)]] is a reusable, component-based binary-translation framework that supports CISC, RISC, and stack-based processors.
==== Further reading ====

  * [[http://www.crackmes.de/|crackmes.de]]: reverse engineering challenges.
  * [[http://www.caesum.com/handbook/contents.htm|"A Challengers Handbook" by Caesum]] has some tips on reverse engineering programs in JavaScript, Flash ActionScript (SWF), Java, etc.
  * [[http://www.osix.net/|The Open Source Institute]] occasionally has reverse engineering challenges among its other brainteasers.
  * The Program Transformation wiki has a [[http://www.program-transformation.org/Transform/ReengineeringWiki|Reverse engineering and Re-engineering Roadmap]], and discusses disassemblers, decompilers, and tools for translating programs from one high-level language to another.
  * [[http://reverseengineering.stackexchange.com/questions/1817/is-there-any-disassembler-second-to-ida|"Is there any disassembler second to IDA?"]] on the Reverse Engineering Stack Exchange lists other disassemblers with multi-platform support.
  